From af39e2d8b9b7d5d3fbd67a9fd3e8edcf11d3cee2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Antonio=20Y=C3=A1=C3=B1ez=20Jim=C3=A9nez?= <wiki@codigojose.com>
Date: Thu, 2 Jun 2022 09:16:04 +0000
Subject: [PATCH] docs: upload assets/files/openvpn-server/nftables.conf

---
 assets/files/openvpn-server/nftables.conf | 53 +++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 assets/files/openvpn-server/nftables.conf

diff --git a/assets/files/openvpn-server/nftables.conf b/assets/files/openvpn-server/nftables.conf
new file mode 100644
index 0000000..621262d
--- /dev/null
+++ b/assets/files/openvpn-server/nftables.conf
@@ -0,0 +1,53 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+define vpn_port=6174
+define vpn_if=tun0
+define outside_if=enp0s17
+define vpn_subnet=10.10.10.0/24
+
+table inet filter {
+
+
+ chain input {
+ # allow OpenVPN VPN connections to the Server
+ udp dport $vpn_port accept
+ }
+
+ chain forward {
+ #Drop forwarded packets if they are not matched
+ type filter hook forward priority 0; policy drop;
+
+ # allow existing connections
+ ct state related,established accept
+
+ # allow packets from vpn interface
+ iifname $vpn_if oifname $outside_if accept
+
+ }
+
+ chain output {
+ # Security drops
+ ct state invalid counter drop
+ oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (fin|ack) == fin|ack counter drop
+ oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (rst|ack) == rst|ack counter drop
+ }
+
+}
+
+# create a ipv4 table only for NAT entries (you need both chains even if they're empty)
+table ip nat {
+ chain postrouting {
+ type nat hook postrouting priority 100;
+
+ # enable NAT for VPN
+ iifname $vpn_if oifname $outside_if ip saddr $vpn_subnet masquerade
+
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority 0;
+
+ }
+
+}
\ No newline at end of file
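Review bot: The `input` and `output` chains in `table inet filter` have no `type filter hook ... priority ...; policy ...;` line, so nft treats them as regular chains that only run when something jumps to them; nothing here jumps to them, so the `udp dport $vpn_port accept` rule and the "Security drops" never see a packet, and after `flush ruleset` the host has no input filtering at all — only `forward` is a real base chain. Making `input` a base chain with `policy drop` is the fix, but a drop policy needs loopback, established/related and the port your management access uses (not visible in this file) accepted before it is loaded, or you lock yourself out; the sketch below covers the first three and leaves the management rule as a placeholder. The `output` chain needs the same treatment, e.g. `type filter hook output priority 0; policy accept;` as its first line, otherwise its `counter drop` rules are dead code too. A one-line comment above the input chain noting that the three accept rules must precede the drop policy would help the next reader.
```nftables
 chain input {
 type filter hook input priority 0; policy drop;
 iifname "lo" accept
 ct state related,established accept
 ct state invalid counter drop
 # TODO: accept your management port here (e.g. tcp dport <MGMT_PORT> accept) before deploying
 # allow OpenVPN VPN connections to the Server
 udp dport $vpn_port accept
 }
```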